Where’s the data?

The U.S. government wants access to an alleged drug dealer’s emails, but Microsoft says, sorry, they’re in Ireland and out of bounds. This is what happens when we apply non-digital rules to digital situations.

It’s a time-honored tradition: U.S. businesses find ways to skirt inconvenient or expensive laws by moving operations to other countries. Thus we have had U.S. corporations operating overseas to exploit child labor, run sweatshops or avoid taxes and rigorous health and safety inspections. Now the U.S. government says something similar is happening in regards to email.

At issue is the question of whether companies or individuals can keep the U.S. government from accessing their email by arguing that it resides on a server in a country that is hostile to such searches. The most recent development came last week (March 9) in a case that involves Microsoft, a U.S. citizen accused of narcotics trafficking and an MSN email server sitting in Dublin, Ireland. The case’s supporting players read like the game “which of these are different from the others?”: On Microsoft’s side is Verizon, AT&T, Apple, Cisco — and the Electronic Freedom Foundation.

From their point of view, they are challenging the federal government’s ability to access email records if those documents are stored outside of the U.S. From the government’s perspective, the question is whether a company can skirt legal inquiries by simply choosing to house records in a friendlier country. Think of Ireland in this case as the email equivalent of what the tax-avoiding Swiss bank account used to be.

The problem, of course, is that in 2015, the U.S. is trying to apply years-old, non-digital rules to digital situations. The reality is that companies like Microsoft, Amazon and Google can have servers of all kinds sitting in server farms in dozens of locations, some of them overseas.

Microsoft argues that it had a specific reason for placing the emails in question on a server in Ireland: proximity to the user. Or at least proximity to where it thinks the user is located. You see, MSN users can tell Microsoft they’re in Ireland, and the company has absolutely no mechanism for verifying that — not even checking IP address location.

“Email accounts are assigned to the Dublin datacenter, according to Microsoft, based on the user’s own uncorroborated identification of his or her country of residence at the time the account is created. The stated aim of this policy is to reduce the geographic distance between a user and the datacenter that services the account,” the government said in its federal appeals court filing last week. “Microsoft makes no effort, however, to verify the user’s country of residence at the time of registration or at any time thereafter. Under this system, a U.S. citizen living in New York City could have his account hosted at the Dublin datacenter so long as he claimed to be a resident of Ireland.”

What started this case was a 2013 federal search warrant aimed at Microsoft and one of its MSN email customers. The U.S. Justice Department insisted that Microsoft turn over any messages from that customer “pertaining to narcotics, narcotics trafficking, importation of narcotics into the United States, money laundering or the movement or distribution of narcotics proceeds.”

The case hits on several interesting issues. If a server is situated in Ireland — or India or Japan — should it be subject to the rules of those countries? Before you answer, what if the U.S. email provider that owns that server routinely accessed — for legitimate IT purposes — all of those messages from desks in the U.S.? As the bits zap across the globe electronically in a few nanoseconds, who is to say where they physically reside? Could a company routinely shift data from machines in a dozen countries and have that data governed only by where it resides at that moment? What if copies reside in all of those servers? Is this a global email version of musical chairs?

The feds last week said that it’s not a matter of where the data sits, but who is playing the music. “Courts are empowered to exert authority on people and entities over whom they have jurisdiction, even if that authority has consequences overseas,” the feds wrote. “The test for the production of documents is control, not location.”

Another issue: Who really owns that subpoenaed data? Microsoft, which apparently never read its own MSN terms and conditions, said its customers own the data and that it’s not up to Microsoft to rat on its consumers.

And Microsoft has countered with its own colorful example: “Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei. The U.S. Secretary of State fumes: ‘We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws.’ Germany’s Foreign Minister responds: ‘We did not conduct an extraterritorial search — in fact we didn’t search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter’s privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate.’”

Microsoft then made its point: “The letters the reporter placed in a safe deposit box in Manhattan are her private correspondence, not the bank’s business records. The seizure of that private correspondence pursuant to a warrant is a law enforcement seizure by a foreign government, executed in the United States, even if it is affected by a private party whom the government has conscripted to act on its behalf.”

Jennifer Daskal, a former counsel at the U.S. Department of Justice and lawyer for Human Rights Watch who is now a law professor at the American University in Washington, D.C., has been writing extensively about this case.

“We now live in a world in which most of us trust just about all of our private communications and other documents to third parties for transit or storage. The implication that all such data could be obtained by administrative subpoena as the government suggests — is troubling, to say the least,” Daskal wrote. “More importantly, the government fails to acknowledge that even if there is not a direct conflict of laws, its approach violates the long-standing presumption against unilateral law enforcement actions in another state’s territory. Of particular concern, it opens the door for other nations compelling ISPs to turn over data located in the United States, including that of U.S. citizens, possibly for nefarious purposes, and without regard to the dictates of the (Stored Communications Act). As the government notes, the UK has already passed such legislation and others will undoubtedly follow suit.”

Daskal’s point is on target. Consider diplomatic immunity. The only reason we give a get-out-of-jail-free card to diplomats is so that other governments will reciprocate. Otherwise, having diplomats in certain not-so-friendly countries would be impossible.

Let’s bring this all back to email and any other form of digital data that IT has to handle. Although it’s certainly the easiest path for the government to just slap a legal demand on a U.S. company, the big concern must be global precedent. Everyone in this case is choosing the most palatable characters for their arguments. Justice chose to take an effort involving an accused drug dealer as its test case. Microsoft couched its counterargument in terms of a U.S. journalist.

Do people with a Gmail account even know what country their data is housed in? Should they care? That thinking favors the government’s argument, that Google email is seen by customers as being from Google, a U.S. company, just as MSN is seen as Microsoft.

Courts — and legislators and the White House — need to take these issues very seriously. The global backlash could have a wildly unforeseen impact.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman.